Linda Musthaler, a principal analyst with Essential Solutions Corp, recently posted a terrific article in Network World about the increasing ability of Software-Defined Perimeters (SDP) to bring trusted access to critical applications in public, private and multi-cloud environments. It accurately described how hybrid IT strategies are pushing more and more critical applications into cloud environments with heightened security requirements. At the same time, as the network perimeter becomes more permeable and elastic, the need to enable accessibility while preventing unauthorized access to applications and data is more important than ever.
The article outlined the importance of applying a zero-trust strategy of “verification before trust” by incorporating stronger, stateful user and device authentication; granular access control; and enhanced segmentation no matter where the applications and resources reside. And it accurately noted the importance of SDP in order to achieve a truly secure zero-trust strategy – something that many zero-trust advocates have missed.
In addition to what the article explains, SDP also employs a Zero-Visibility approach by hiding the critical applications within the perimeter even though they are reached over public networks. A single packet that authorizes every connection is an effective way to render infrastructure invisible within the perimeter: the gateway stays silent until it has authenticated the requesting device and user, so unauthenticated scans see nothing. By securing every connection to a service, application or critical infrastructure, SDP dynamically creates one-to-one connections between every authorized device, user and the data they access. SDP leverages an “authenticate first” approach to apply the principle of least privilege to the network and sharply reduces the attack surface.
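To make the “authenticate first, single packet” idea concrete, here is an added example (written for this page, not code from Waverley Labs or the CSA specification) of the gateway-side checks behind single packet authorization. The packet layout, the device keys and the per-device service policy are all constructed for the illustration; a production SPA implementation also encrypts the payload, whereas this sketch uses only an HMAC. The point it shows is the default-deny behaviour: a packet that fails any check (length, unknown device, bad tag, stale timestamp, replayed nonce, unauthorized service) is dropped without any reply, so the protected service never reveals itself.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed packet layout (a simplified illustration, not the CSA/Waverley wire format):
#   client_id: 16 bytes (UTF-8, NUL padded)
#   timestamp: 8 bytes, unsigned big-endian seconds since the epoch
#   nonce:     16 bytes of random data (defeats replay of a captured packet)
#   port:      2 bytes, unsigned big-endian, the service being requested
#   tag:       32 bytes, HMAC-SHA256 over the 42 bytes above
HEADER = struct.Struct("!16sQ16sH")
PACKET_LEN = HEADER.size + 32  # 42 + 32 = 74 bytes

# Constructed per-device keys, provisioned out of band when the device is enrolled.
DEVICE_KEYS = {
    "device-0001": b"constructed-demo-key-device-0001",
    "device-0002": b"constructed-demo-key-device-0002",
}
# Constructed policy: the only service port(s) each enrolled device may be granted.
DEVICE_POLICY = {
    "device-0001": {443},
    "device-0002": {22, 443},
}
MAX_CLOCK_SKEW = 30  # seconds; packets outside this window are dropped


def build_packet(client_id, key, port, now=None, nonce=None):
    """Client side: one datagram asking the gateway to open `port` for this device."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = HEADER.pack(client_id.encode().ljust(16, b"\0"), now, nonce, port)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SPAGateway:
    """Gateway side: default deny. Every failed check returns None and sends nothing back."""

    def __init__(self, keys=DEVICE_KEYS, policy=DEVICE_POLICY, skew=MAX_CLOCK_SKEW):
        self.keys = keys
        self.policy = policy
        self.skew = skew
        self.seen = {}        # nonce -> expiry time, for replay rejection
        self.open_rules = []  # (client_id, port) pairs handed to the firewall

    def verify(self, packet, now=None):
        now = int(time.time()) if now is None else now
        if len(packet) != PACKET_LEN:
            return None  # malformed: drop silently
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        raw_id, ts, nonce, port = HEADER.unpack(body)
        client_id = raw_id.rstrip(b"\0").decode(errors="replace")
        key = self.keys.get(client_id)
        if key is None:
            return None  # unknown device: no reply, the service stays invisible
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or corrupted packet (constant-time compare)
        if abs(now - ts) > self.skew:
            return None  # stale or future-dated packet
        self._expire(now)
        if nonce in self.seen:
            return None  # replay of a previously accepted packet
        self.seen[nonce] = now + self.skew  # only authenticated nonces are cached
        if port not in self.policy.get(client_id, set()):
            return None  # authenticated, but not authorized for this service
        return client_id, port

    def handle(self, packet, now=None):
        """Return True and record a one-to-one firewall rule only on a fully valid packet."""
        result = self.verify(packet, now)
        if result is None:
            return False
        self.open_rules.append(result)  # this device, this service, nothing else
        return True

    def _expire(self, now):
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}


if __name__ == "__main__":
    gw = SPAGateway()
    good = build_packet("device-0001", DEVICE_KEYS["device-0001"], 443)
    print("valid packet accepted:", gw.handle(good))
    print("same packet replayed:", gw.handle(good))
    print("unknown device:", gw.handle(build_packet("device-9999", b"x", 443)))
    print("rules opened:", gw.open_rules)
```

The ordering of the checks matters: the HMAC is verified before the nonce is cached, so an attacker who cannot produce a valid tag cannot fill the replay cache with junk, and the timestamp window bounds how long that cache has to be kept.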
As a pioneer and partner in the development of SDP with the Cloud Security Alliance, Waverley Labs is pleased to see growing industry recognition of SDP. In her article, Musthaler accurately described the SDP architecture and recognized its potential for a paradigm shift in cyber security. Waverley Labs sees the shift underway as service providers such as Verizon, QTS and Cyxtera are now offering or evaluating SDP as a service for their customers looking to migrate higher value applications into zero-trust public and multi-cloud environments.
For example, Waverley Labs is currently developing a cloud-based FICAM application protected by SDP. Customers are asking for compliance with the FICAM (Federal Identity, Credential, and Access Management) specification, which requires organizations to enable the right individual to access the right resource at the right time for the right reason by integrating their physical and logical access control systems.
By moving the FICAM application into an AWS environment protected by SDP, Waverley was able to change the front end so users could easily register themselves and their devices, then securely connect to and use the app regardless of location. This approach can be effectively applied to any application that is moved to the cloud.
Service and data center providers offering public, private and multi-cloud solutions can now easily offer SDP as a service, allowing customers to extend their perimeter and enable zero-trust strategies.
SDP Use Cases in the Enterprise
- Simplified access for BYOD – Direct, secure, and easy access to cloud applications or resources directly from users’ devices of choice
- Third-party and privileged user access – Enable third-party and privileged access to critical systems from anywhere but with granular control per application or resource
- Application or network segmentation – Further reduce malware propagation and attack surface inside data center and cloud environments
- DevOps – Dynamic provisioning of secure access to enable DevOps user access to key resources and to isolate workloads
SDPs have been successfully deployed and proven effective by leading enterprises such as Coca-Cola, Mazda, and Google, and in the public sector by DHS, and continue to be tested in organized industry “hack-a-thons” (such as RSA) with an estimated 10 billion+ attempts to date – all unsuccessful.
To learn more, check out Waverley Labs, which worked closely with the Cloud Security Alliance to develop the commercial SDP specification and has since delivered the industry’s first open source SDP as part of an award by the DHS to create new tools to defend against large and sophisticated Distributed Denial of Service (DDoS) attacks.